Getting SPF to work properly

Postby fiver » Mon Jan 05, 2009 3:32 pm

I have gone through earlier messages with a similar problem and tried the responses and still I am not able to stop the Spam.

Please see below which is an example of the spam that is getting through.

Received: from 212.Red-88-8-205.dynamicIP.rima-tde.net ([88.8.205.212]) by uk-domain.com
with SMTP (Code-Crafters Ability Mail Server 2.63);
Mon, 05 Jan 2009 14:10:24 -0000
To: <ivorsmith@essexrugby.com>
Subject: RE: Message 83259
From: <ivorsmith@essexrugby.com>
MIME-Version: 1.0
Importance: High
Content-Type: text/html

Somehow the spammer is able to obtain my e-mail address and insert it into the from field and I am then getting inundated with spam, not only on this address but on many other addresses whose domains I host.

How can I get the AMS system to check the received line IP address, i.e. Received from 212.Red-88-8-205.dynamicIP.rima-tde.net ([88.8.205.212]) by uk-domain.com, and then if the sending domain does not resolve to essexrugby.com the mail is refused or deleted?

Many thanks - Ivor
fiver
 
Posts: 8
Joined: Tue Nov 20, 2007 7:28 pm

Re: Getting SPF to work properly

Postby Code Crafters » Tue Jan 06, 2009 11:03 am

Your SPF record is "v=spf1 a mx ptr -all" which is perfectly fine and as long as you've enabled SPF checking in the SPAM filters of AMS then this will block any mail from that domain that doesn't come from your allowed IP list (MX A PTR). If you have version 2.60 or later you can also use the Sender Domain Check as a means to force any users sending from your hosted local domains to also log into SMTP authentication or WebMail for relaying access when sending from your domains. Also, make sure that you haven't added any SPAM white lists for your domain as an SMTP sender but you can enable the option on the first SPAM page for relaying exemption so that if you do log into SMTP authentication or WebMail you automatically skip all other SPAM filtering tests.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Getting SPF to work properly

Postby Pugglewuggle » Thu Jan 15, 2009 1:33 am

Hi Chris,

I've posted a question on here before about SPF not working and it seems that fiver has EXACTLY the same issue as I have... I had this occur again a few days ago.

Somehow the spammers get existing addresses and then send spam FROM that address and to that address. I get the copy of it just like fiver mentions.

The interesting part: I've had SPF enabled for at least a year or two. My previously posted (and still active) TXT record for SPF is this:

v=spf1 a mx ~all

Exactly what you posted, except excluding rDNS addresses and providing a SOFTFAIL instead of a FAIL.

I've also had all of the mentioned security measures in effect for a long time.

Any ideas? What's happening?
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: Getting SPF to work properly

Postby m1byo » Thu Jan 15, 2009 10:04 am

What about using sender domain check?
m1byo
 
Posts: 164
Joined: Fri Sep 21, 2007 2:36 pm
Location: UK

Re: Getting SPF to work properly

Postby Code Crafters » Thu Jan 15, 2009 12:14 pm

SPF will block any mails from IPs not listed by your domain's SPF record. However, Sender Domain Check is specifically designed to block anybody sending from your domain without logging into SMTP authentication which will be much more effective for stopping SPAM from your own local domains.

As I said before, note that using SPAM white listing, SPAM relaying exemption or SMTP relaying safe IPs can all bypass SPAM filtering so check that these aren't why the SPAM filters aren't triggering although you should use the relaying exemption to allow authorised users to skip SPAM filtering. White listing should only be used if you have a problem domain that should get through but doesn't because of SPAM filtering. SMTP relay safe IPs should not be used unless absolutely necessary for a scripting computer that can't SMTP auth but needs to send automated mails etc.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Getting SPF to work properly

Postby Pugglewuggle » Thu Jan 15, 2009 11:53 pm

There is no whitelisting or relay access except for our backup mail server... any other ideas how these are getting through?
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: Getting SPF to work properly

Postby m1byo » Fri Jan 16, 2009 10:35 am

Apologies, I may be missing the point a little bit here, however the following question popped into my head from reading this thread:
Is the FROM & TO address of the spam mail an address on your mail server or is it a completely random address and you get CCd into it?

My comments based on the answers to that question would be:
If the FROM & TO address is on your server then
1. you could use sender domain check
2. Add content filtering for SPF Softfails

If the FROM & TO address is not on your server then
1. Have a look through the SMTP logs, you could potentially find the domain being spammed from does not have an SPF Record in the first place.
2. If there is an SPF Record and it is coming up as Softfail, you will have to add some content filtering in for softfails.


Looking at the SPAM setup for SPF, only the SPF-FAIL and SPF-PERMERROR automatically trigger the SPAM flag, if you wish other SPF errors such as SPF-SOFTFAIL to trigger the spam flag also then you will need to add a content filtering rule which looks at the Custom Event added to the message when it goes through the spam filtering (in my case "SPAM-SPF-SOFTFAIL") and then if that custom event is in a message, set the spam flag.

I hope this is of use.

Ian
m1byo
 
Posts: 164
Joined: Fri Sep 21, 2007 2:36 pm
Location: UK

Re: Getting SPF to work properly

Postby Code Crafters » Fri Jan 16, 2009 11:24 am

Some good comments there from m1byo too. If the domain is one of your own you can also change the SPF records to end with "-all" (minus) instead of "~all" (tilde) to use a FAIL rather than SOFT-FAIL for any IPs that don't match your allowed mail server criteria if you want to be more strict.

I will say again though that Sender Domain Check is still more appropriate than SPF if the domain is hosted on your mail server as that is its intended purpose. However, if the domain is not hosted on your mail server Sender Domain Check does nothing as it only filters for local domains. Please also make sure that you MUST have SMTP authentication enabled for Sender Domain Check to work and more importantly to not be an open relay and get SPAM relaying via your mail server leading to you getting black listed on many RBLs.

If you still believe that the mail is getting through when it shouldn't be, you can forward me your "C:\Program Files\Code-Crafters\Ability Mail Server 2\config" folder (which contains your settings and logs), along with details of the FROM addresses getting through that shouldn't be, to chris@code-crafters.com so that I can check over these and will then post back on here anything that may help, keeping your personal information private of course.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

Re: Getting SPF to work properly

Postby Pugglewuggle » Fri Jan 16, 2009 9:06 pm

Hi guys,

I don't have a custom event defined for SOFTFAIL (which I noticed a while back, but didn't think that would affect this).

The mails are coming from existing local addresses on the server - not nonexistent ones... the SDC fixed that a long time ago.

SMTP Auth is enabled. We DEFINITELY are not an open relay. I'd shoot myself. :lol: We also aren't blacklisted. I check this monthly to weekly and have a service that emails me if we are.

Let me set FAIL for the SPF and we'll see how that works for a while... if it doesn't work I'll forward you that dir.

As for the spam getting through in the first place when using a local address - what's up with that? Shouldn't that not be possible?

Thanks so far!
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: Getting SPF to work properly

Postby Code Crafters » Mon Jan 19, 2009 11:37 am

If you use Sender Domain Check and use both options so that the user must exist on the local domain and also log into SMTP authentication to be allowed to send mail then only users with proper login credentials will be allowed to send via your local domains. Of course account details can be compromised and you should change these periodically and use antivirus software to prevent viruses infecting your systems etc.

SDC should be all that you need to stop local addresses sending SPAM. With SPF only the FAIL and PERMERROR results will cause the mail to be blocked but all responses give a custom event option so that you can make content filtering rules to act on the custom event triggers to do pretty much anything you want with the mail based on many available content filtering conditions and actions. You can also alternatively change the SPF record to -all (minus) instead of ~all (tilde) to force a default of FAIL instead of SOFTFAIL.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm
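
The difference between the "~all" and "-all" records discussed in the posts above, as an added example that is not part of the original thread or of Ability Mail Server: a minimal evaluator for a subset of SPF (a, mx, ptr, ip4, all) run against constructed DNS data, followed by the flag behaviour the posts describe. The names check_spf, sets_spam_flag and softfail_rule, the example.org domain and every address are assumptions made for illustration.

```python
import ipaddress

# Constructed DNS data (documentation names/addresses); a real checker queries DNS.
DNS = {
    "a": {"example.org": ["192.0.2.10"], "mail.example.org": ["192.0.2.25"]},
    "mx": {"example.org": ["mail.example.org"]},
    "ptr": {"192.0.2.25": ["mail.example.org"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, domain, client_ip, dns=DNS):
    """Evaluate a subset of SPF (a, mx, ptr, ip4, all) for one connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)

    def resolves_to_client(host):
        return any(ipaddress.ip_address(a) == ip for a in dns["a"].get(host, []))

    for term in terms[1:]:
        qualifier = "+"  # a mechanism written without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        target = arg or domain.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = resolves_to_client(target)
        elif name == "mx":
            matched = any(resolves_to_client(h) for h in dns["mx"].get(target, []))
        elif name == "ptr":  # reverse name must forward-confirm and sit under target
            matched = any(resolves_to_client(h) and (h == target or h.endswith("." + target))
                          for h in dns["ptr"].get(str(ip), []))
        elif name == "ip4":
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        else:
            return "permerror"  # anything else is unsupported in this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def sets_spam_flag(result, softfail_rule=False):
    """As the posts describe: FAIL/PERMERROR flag; SOFTFAIL needs a filter rule.
    softfail_rule is a hypothetical stand-in for that content filtering rule."""
    return result in ("fail", "permerror") or (softfail_rule and result == "softfail")
```

With the constructed data, an unlisted client such as 203.0.113.7 gets softfail under "v=spf1 a mx ~all" and is not flagged unless the softfail rule exists, while the same client gets fail under "v=spf1 a mx ptr -all".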

Re: Getting SPF to work properly

Postby votan » Sun Feb 08, 2009 1:23 am

I'm having the same problem... sender domain check seems to do nothing..... Still am getting spam that appears to be sent by myself. Already additionally enabled SPF and added the "v=spf1 a mx ~all" record to the SPF and TXT entries of my DNS server. So everything should be set up fine to reject spam that uses my own email addresses as the "from" entry.... but still, they keep coming in....
votan
 
Posts: 9
Joined: Thu Dec 11, 2008 1:31 am

Re: Getting SPF to work properly

Postby Code Crafters » Mon Feb 09, 2009 11:09 am

If you use the Sender Domain Check you must check the following:

1) You need to either use the reject action on Sender Domain Check or otherwise you need to create a content filter rule to act on the SPAM flag / custom event.
2) SPAM white listing can skip SPAM filtering.
3) SPAM Relaying exemption and / or SMTP relaying safe IPs can skip SPAM filtering.

Check that none of the above are causing no action to be taken. You can also check your SMTP logs for what is happening with your SMTP transactions to see any errors given. If you are really stuck you can send your config folder zipped up to chris@code-crafters.com and I'll have a look at your configuration to see if there are any obvious things stopping this working correctly. However, these will be mainly just the above mentioned things that I'll be checking for.
Code Crafters
 
Posts: 933
Joined: Mon Sep 10, 2007 2:35 pm

